Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getGroupNames()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getGroupNames() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: twill   File: LocationTestBase.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testOwnerGroup() throws Exception {
  final LocationFactory factory = locationFactoryCache.getUnchecked("ownergroup");

  UserGroupInformation testUGI = createTestUGI();
  Location location = testUGI.doAs(new PrivilegedExceptionAction<Location>() {
    @Override
    public Location run() throws Exception {
      return factory.create("ogtest");
    }
  });

  location.createNew();
  Assert.assertEquals(testUGI.getUserName(), location.getOwner());

  String group = testUGI.getGroupNames()[0];

  location.setGroup(group);
  Assert.assertEquals(group, location.getGroup());
}
 
Example 2
Source Project: ranger   File: MiscUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * @param userName
 * @return
 */
static public Set<String> getGroupsForRequestUser(String userName) {
	if (userName != null) {
		try {
			UserGroupInformation ugi = UserGroupInformation
					.createRemoteUser(userName);
			String[] groups = ugi.getGroupNames();
			if (groups != null && groups.length > 0) {
				Set<String> groupsSet = new java.util.HashSet<String>();
				for (String group : groups) {
					groupsSet.add(group);
				}
				return groupsSet;
			}
		} catch (Throwable e) {
			logErrorMessageByInterval(logger,
					"Error getting groups for users. userName=" + userName, e);
		}
	}
	return Collections.emptySet();
}
 
Example 3
/** HELPER FUNCTIONS **/

  private RangerPrestoAccessRequest createAccessRequest(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) {
    Set<String> userGroups = null;

    if (useUgi) {
      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());

      String[] groups = ugi != null ? ugi.getGroupNames() : null;

      if (groups != null && groups.length > 0) {
        userGroups = new HashSet<>(Arrays.asList(groups));
      }
    } else {
      userGroups = context.getIdentity().getGroups();
    }

    RangerPrestoAccessRequest request = new RangerPrestoAccessRequest(
      resource,
      context.getIdentity().getUser(),
      userGroups,
      accessType
    );

    return request;
  }
 
Example 4
Source Project: hbase   File: TestUser.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testCacheGetGroupsRoot() throws Exception {
  // Windows users don't have a root user.
  // However pretty much every other *NIX os will have root.
  if (!SystemUtils.IS_OS_WINDOWS) {
    Configuration conf = HBaseConfiguration.create();
    UserProvider up = UserProvider.instantiate(conf);


    String rootUserName = "root";

    // Create two UGI's for this username
    UserGroupInformation ugiOne = UserGroupInformation.createRemoteUser(rootUserName);
    UserGroupInformation ugiTwo = UserGroupInformation.createRemoteUser(rootUserName);

    // Now try and get the user twice.
    User uOne = up.create(ugiOne);
    User uTwo = up.create(ugiTwo);

    // Make sure that we didn't break groups and everything worked well.
    assertArrayEquals(uOne.getGroupNames(),uTwo.getGroupNames());
    String[] groupNames = ugiOne.getGroupNames();
    assertTrue(groupNames.length > 0);
  }
}
 
Example 5
Source Project: hadoop-ozone   File: OmOzoneAclMap.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Helper function to check acl access for OzoneAclType.
 * */
private boolean checkAccessForOzoneAclType(OzoneAclType identityType,
    ACLType acl, UserGroupInformation ugi) {

  switch (identityType) {
  case USER:
    return OzoneAclUtil.checkIfAclBitIsSet(acl, getAcl(identityType,
        ugi.getUserName()));
  case GROUP:
    // Check access for user groups.
    for (String userGroup : ugi.getGroupNames()) {
      if (OzoneAclUtil.checkIfAclBitIsSet(acl, getAcl(identityType,
          userGroup))) {
        // Return true if any user group has required permission.
        return true;
      }
    }
    break;
  default:
    // For type WORLD and ANONYMOUS we set acl type as name.
    if(OzoneAclUtil.checkIfAclBitIsSet(acl, getAcl(identityType,
        identityType.name()))) {
      return true;
    }

  }
  return false;
}
 
Example 6
Source Project: Bats   File: ImpersonationUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Given admin user/group list, finds whether the given username has admin privileges.
 *
 * @param userName User who is checked for administrative privileges.
 * @param adminUsers Comma separated list of admin usernames,
 * @param adminGroups Comma separated list of admin usergroups
 * @return True if the user has admin priveleges. False otherwise.
 */
public static boolean hasAdminPrivileges(final String userName, final String adminUsers, final String adminGroups) {
  // Process user is by default an admin
  if (getProcessUserName().equals(userName)) {
    return true;
  }

  final Set<String> adminUsersSet = Sets.newHashSet(SPLITTER.split(adminUsers));
  if (adminUsersSet.contains(userName)) {
    return true;
  }

  final UserGroupInformation ugi = createProxyUgi(userName);
  final String[] userGroups = ugi.getGroupNames();
  if (userGroups == null || userGroups.length == 0) {
    return false;
  }

  final Set<String> adminUserGroupsSet = Sets.newHashSet(SPLITTER.split(adminGroups));
  for (String userGroup : userGroups) {
    if (adminUserGroupsSet.contains(userGroup)) {
      return true;
    }
  }

  return false;
}
 
Example 7
Source Project: hadoop   File: AccessControlList.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Checks if a user represented by the provided {@link UserGroupInformation}
 * is a member of the Access Control List
 * @param ugi UserGroupInformation to check if contained in the ACL
 * @return true if ugi is member of the list
 */
public final boolean isUserInList(UserGroupInformation ugi) {
  if (allAllowed || users.contains(ugi.getShortUserName())) {
    return true;
  } else {
    for(String group: ugi.getGroupNames()) {
      if (groups.contains(group)) {
        return true;
      }
    }
  }
  return false;
}
 
Example 8
Source Project: hadoop   File: GetGroupsTestBase.java    License: Apache License 2.0 5 votes vote down vote up
private static String getExpectedOutput(UserGroupInformation user) {
  String expectedOutput = user.getUserName() + " :";
  for (String group : user.getGroupNames()) {
    expectedOutput += " " + group;
  }
  return expectedOutput + System.getProperty("line.separator");
}
 
Example 9
Source Project: big-c   File: AccessControlList.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Checks if a user represented by the provided {@link UserGroupInformation}
 * is a member of the Access Control List
 * @param ugi UserGroupInformation to check if contained in the ACL
 * @return true if ugi is member of the list
 */
public final boolean isUserInList(UserGroupInformation ugi) {
  if (allAllowed || users.contains(ugi.getShortUserName())) {
    return true;
  } else {
    for(String group: ugi.getGroupNames()) {
      if (groups.contains(group)) {
        return true;
      }
    }
  }
  return false;
}
 
Example 10
Source Project: big-c   File: GetGroupsTestBase.java    License: Apache License 2.0 5 votes vote down vote up
private static String getExpectedOutput(UserGroupInformation user) {
  String expectedOutput = user.getUserName() + " :";
  for (String group : user.getGroupNames()) {
    expectedOutput += " " + group;
  }
  return expectedOutput + System.getProperty("line.separator");
}
 
Example 11
Source Project: RDFS   File: TestQueueManager.java    License: Apache License 2.0 5 votes vote down vote up
public void testGroupsEnabledACLForJobSubmission() 
                                  throws IOException, LoginException {
  // login as self, get one group, and add in allowed list.
  UserGroupInformation ugi = UnixUserGroupInformation.login();
  String[] groups = ugi.getGroupNames();
  assertTrue(groups.length > 0);
  JobConf conf = setupConf("mapred.queue.default.acl-submit-job",
                              "3698-junk-user1,3698-junk-user2 " 
                                + groups[groups.length-1] 
                                         + ",3698-junk-group");
  verifyJobSubmission(conf, true);
}
 
Example 12
Source Project: hadoop-gpu   File: TestQueueManager.java    License: Apache License 2.0 5 votes vote down vote up
public void testGroupsEnabledACLForJobSubmission() 
                                  throws IOException, LoginException {
  // login as self, get one group, and add in allowed list.
  UserGroupInformation ugi = UnixUserGroupInformation.login();
  String[] groups = ugi.getGroupNames();
  assertTrue(groups.length > 0);
  JobConf conf = setupConf("mapred.queue.default.acl-submit-job",
                              "3698-junk-user1,3698-junk-user2 " 
                                + groups[groups.length-1] 
                                         + ",3698-junk-group");
  verifyJobSubmission(conf, true);
}
 
Example 13
Source Project: hadoop   File: TestRMAdminService.java    License: Apache License 2.0 4 votes vote down vote up
@Test
public void
    testRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider()
        throws IOException, YarnException {
  configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
      "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");

  String[] defaultTestUserGroups = {"dummy_group1", "dummy_group2"};
  UserGroupInformation ugi = UserGroupInformation.createUserForTesting
      ("dummyUser", defaultTestUserGroups);

  String user = ugi.getUserName();
  List<String> groupWithInit = new ArrayList<String>(2);
   for(int i = 0; i < ugi.getGroupNames().length; i++ ) {
     groupWithInit.add(ugi.getGroupNames()[i]);
   }

  // upload default configurations
  uploadDefaultConfiguration();
  Configuration conf = new Configuration();
  conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  uploadConfiguration(conf, "core-site.xml");

  try {
    rm = new MockRM(configuration);
    rm.init(configuration);
    rm.start();
  } catch (Exception ex) {
    fail("Should not get any exceptions");
  }

  // Make sure RM will use the updated GroupMappingServiceProvider
  List<String> groupBefore =
      new ArrayList<String>(Groups.getUserToGroupsMappingService(
          configuration).getGroups(user));
  Assert.assertTrue(groupBefore.contains("test_group_A")
      && groupBefore.contains("test_group_B")
      && groupBefore.contains("test_group_C") && groupBefore.size() == 3);
  Assert.assertTrue(groupWithInit.size() != groupBefore.size());
  Assert.assertFalse(groupWithInit.contains("test_group_A")
      || groupWithInit.contains("test_group_B")
      || groupWithInit.contains("test_group_C"));

  // update the groups
  MockUnixGroupsMapping.updateGroups();

  rm.adminService
      .refreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest
          .newInstance());
  List<String> groupAfter =
      Groups.getUserToGroupsMappingService(configuration).getGroups(user);

  // should get the updated groups
  Assert.assertTrue(groupAfter.contains("test_group_D")
      && groupAfter.contains("test_group_E")
      && groupAfter.contains("test_group_F") && groupAfter.size() == 3);

}
 
Example 14
Source Project: big-c   File: TestRMAdminService.java    License: Apache License 2.0 4 votes vote down vote up
@Test
public void
    testRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider()
        throws IOException, YarnException {
  configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
      "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");

  String[] defaultTestUserGroups = {"dummy_group1", "dummy_group2"};
  UserGroupInformation ugi = UserGroupInformation.createUserForTesting
      ("dummyUser", defaultTestUserGroups);

  String user = ugi.getUserName();
  List<String> groupWithInit = new ArrayList<String>(2);
   for(int i = 0; i < ugi.getGroupNames().length; i++ ) {
     groupWithInit.add(ugi.getGroupNames()[i]);
   }

  // upload default configurations
  uploadDefaultConfiguration();
  Configuration conf = new Configuration();
  conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  uploadConfiguration(conf, "core-site.xml");

  try {
    rm = new MockRM(configuration);
    rm.init(configuration);
    rm.start();
  } catch (Exception ex) {
    fail("Should not get any exceptions");
  }

  // Make sure RM will use the updated GroupMappingServiceProvider
  List<String> groupBefore =
      new ArrayList<String>(Groups.getUserToGroupsMappingService(
          configuration).getGroups(user));
  Assert.assertTrue(groupBefore.contains("test_group_A")
      && groupBefore.contains("test_group_B")
      && groupBefore.contains("test_group_C") && groupBefore.size() == 3);
  Assert.assertTrue(groupWithInit.size() != groupBefore.size());
  Assert.assertFalse(groupWithInit.contains("test_group_A")
      || groupWithInit.contains("test_group_B")
      || groupWithInit.contains("test_group_C"));

  // update the groups
  MockUnixGroupsMapping.updateGroups();

  rm.adminService
      .refreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest
          .newInstance());
  List<String> groupAfter =
      Groups.getUserToGroupsMappingService(configuration).getGroups(user);

  // should get the updated groups
  Assert.assertTrue(groupAfter.contains("test_group_D")
      && groupAfter.contains("test_group_E")
      && groupAfter.contains("test_group_F") && groupAfter.size() == 3);

}
 
Example 15
Source Project: ranger   File: RangerStormAuthorizer.java    License: Apache License 2.0 4 votes vote down vote up
/**
    * permit() method is invoked for each incoming Thrift request.
    * @param aRequestContext request context includes info about
    * @param aOperationName operation name
    * @param aTopologyConfigMap configuration of targeted topology
    * @return true if the request is authorized, false if reject
    */

@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
	
	boolean accessAllowed = false;
	boolean isAuditEnabled = false;

	String topologyName = null;

	RangerPerfTracer perf = null;

	try {

		if(RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
			perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
		}

		topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME));

		if (LOG.isDebugEnabled()) {
			LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
	                + " from: [" + aRequestContext.remoteAddress() + "]"
	                + " user: [" + aRequestContext.principal() + "],"
	                + " op:   [" + aOperationName + "],"
	                + "topology: [" + topologyName + "]");
			
			if (aTopologyConfigMap != null) {
				for(Object keyObj : aTopologyConfigMap.keySet()) {
					Object valObj = aTopologyConfigMap.get(keyObj);
					LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
				}
			}
			else {
				LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
			}
		}

		if(noAuthzOperations.contains(aOperationName)) {
			accessAllowed = true;
		} else if(plugin == null) {
			LOG.info("Ranger plugin not initialized yet! Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
		} else {
			String userName = null;
			String[] groups = null;

			Principal user = aRequestContext.principal();
		
			if (user != null) {
				userName = user.getName();
				if (userName != null) {
					UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
					userName = ugi.getShortUserName();
					groups = ugi.getGroupNames();
					if (LOG.isDebugEnabled()) {
						LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
					}
				}
			}
			
			
			if (userName != null) {
				String clientIp =  (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress() );
				RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName);
				RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
				accessAllowed = result != null && result.getIsAllowed();
				isAuditEnabled = result != null && result.getIsAudited();
			
				if (LOG.isDebugEnabled()) {
					LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
				}
			}
			else {
				LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
			}
		}
	}
	catch(Throwable t) {
		LOG.error("RangerStormAuthorizer found this exception", t);
	}
	finally {
		RangerPerfTracer.log(perf);
		if (LOG.isDebugEnabled()) {
			LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
	                + " from: [" + aRequestContext.remoteAddress() + "]"
	                + " user: [" + aRequestContext.principal() + "],"
	                + " op:   [" + aOperationName + "],"
	                + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
		}
	}
	
	return accessAllowed;
}
 
Example 16
Source Project: RDFS   File: QueueManager.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Return true if the given {@link QueueManager.QueueOperation} can be 
 * performed by the specified user on the specified job in the given queue.
 * 
 * An operation is allowed either if the owner of the job is the user 
 * performing the task, all users are provided access for this
 * operation, or if either the user or any of the groups specified is
 * provided access.
 * 
 * If the {@link QueueManager.QueueOperation} is not job specific then the 
 * job parameter is ignored.
 * 
 * @param queueName Queue on which the operation needs to be performed.
 * @param job The {@link JobInProgress} on which the operation is being
 *            performed. 
 * @param oper The operation to perform
 * @param ugi The user and groups who wish to perform the operation.
 * 
 * @return true if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(String queueName, JobInProgress job, 
                              QueueOperation oper, 
                              UserGroupInformation ugi) {
  if (!aclsEnabled) {
    return true;
  }
  
  if (LOG.isDebugEnabled()) {
    LOG.debug("checking access for : " + toFullPropertyName(queueName, 
                                          oper.getAclName()));      
  }
  
  if (oper.isJobOwnerAllowed()) {
    if (job != null && job.getJobConf().getUser().equals(ugi.getUserName())) {
      return true;
    }
  }
  
  AccessControlList acl = aclsMap.get(toFullPropertyName(queueName, oper.getAclName()));
  if (acl == null) {
    return false;
  }
  
  // Check the ACL list
  boolean allowed = acl.allAllowed();
  if (!allowed) {
    // Check the allowed users list
    if (acl.getUsers().contains(ugi.getUserName())) {
      allowed = true;
    } else {
      // Check the allowed groups list
      Set<String> allowedGroups = acl.getGroups();
      for (String group : ugi.getGroupNames()) {
        if (allowedGroups.contains(group)) {
          allowed = true;
          break;
        }
      }
    }
  }
  
  return allowed;    
}
 
Example 17
Source Project: hadoop-gpu   File: QueueManager.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Return true if the given {@link QueueManager.QueueOperation} can be 
 * performed by the specified user on the specified job in the given queue.
 * 
 * An operation is allowed either if the owner of the job is the user 
 * performing the task, all users are provided access for this
 * operation, or if either the user or any of the groups specified is
 * provided access.
 * 
 * If the {@link QueueManager.QueueOperation} is not job specific then the 
 * job parameter is ignored.
 * 
 * @param queueName Queue on which the operation needs to be performed.
 * @param job The {@link JobInProgress} on which the operation is being
 *            performed. 
 * @param oper The operation to perform
 * @param ugi The user and groups who wish to perform the operation.
 * 
 * @return true if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(String queueName, JobInProgress job, 
                              QueueOperation oper, 
                              UserGroupInformation ugi) {
  if (!aclsEnabled) {
    return true;
  }
  
  if (LOG.isDebugEnabled()) {
    LOG.debug("checking access for : " + toFullPropertyName(queueName, 
                                          oper.getAclName()));      
  }
  
  if (oper.isJobOwnerAllowed()) {
    if (job.getJobConf().getUser().equals(ugi.getUserName())) {
      return true;
    }
  }
  
  AccessControlList acl = aclsMap.get(toFullPropertyName(queueName, oper.getAclName()));
  if (acl == null) {
    return false;
  }
  
  // Check the ACL list
  boolean allowed = acl.allAllowed();
  if (!allowed) {
    // Check the allowed users list
    if (acl.getUsers().contains(ugi.getUserName())) {
      allowed = true;
    } else {
      // Check the allowed groups list
      Set<String> allowedGroups = acl.getGroups();
      for (String group : ugi.getGroupNames()) {
        if (allowedGroups.contains(group)) {
          allowed = true;
          break;
        }
      }
    }
  }
  
  return allowed;    
}
 
Example 18
Source Project: ranger   File: RangerHiveAuthorizer.java    License: Apache License 2.0 3 votes vote down vote up
private Set<String> getGrantorGroupNames(HivePrincipal grantorPrincipal) {
	Set<String> ret = null;

	String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;

	UserGroupInformation ugi = StringUtil.isEmpty(grantor) ? this.getCurrentUserGroupInfo() : UserGroupInformation.createRemoteUser(grantor);

	String[] groups = ugi != null ? ugi.getGroupNames() : null;

	if (groups != null && groups.length > 0) {
		ret = new HashSet<>(Arrays.asList(groups));
	}

	return ret;
}